[+] Aurora::ProcessesConfig
[*] Fixed stupid thread leak from a non-ipc semaphore being used under cow pages
This commit is contained in:
parent
8adb2a476a
commit
2ed05ce8dd
@ -118,21 +118,6 @@ namespace Aurora
|
||||
AuOptional<AuString> optDefaultBrand { "Aurora SDK Sample" };
|
||||
bool bForceOverlappedUtilsToDelegatedThreadPool { false };
|
||||
bool bIsIntranetTrusted { false };
|
||||
bool bBypassInternetBlockCheckOpenFile { false }; // Disables the file origin check under the AuProcesses::OpenXXX APIs.
|
||||
// The AuFS trust APIs are to be used with project files that may contain build/init code hooks, and to be used with untrusted files that may contain executable code.
|
||||
// By default, AuProcesses::s assume any file downloaded from the internet or an instant messenger is defacto malware thanks to shitty Linux programs and historical Windows sandbox escapes.
|
||||
// Think this is overkill? Nah. Linux devs are dumber than a bag of rocks: https://nvd.nist.gov/vuln/detail/cve-2023-43641, https://github.blog/wp-content/uploads/2023/10/CVE-2023-43641-poc.mp4#t=0.001
|
||||
// And then theres: https://nvd.nist.gov/vuln/detail/cve-2021-4214 ( we cant trust libpng )
|
||||
// : https://nvd.nist.gov/vuln/detail/cve-2023-4863 ( we cant trust libvpx )
|
||||
// : https://nvd.nist.gov/vuln/detail/cve-2020-17541 (+2022-37769, 2023-37837, et al) ( we cant trust libjpegturbo )
|
||||
// (and, no, dumbasses shilling rust: no language or design goals are ever going to change runtime exploits abusing opted-out bound-checks of compressed formats for the sake of perf over integrity)
|
||||
// (for now, we just have to say, "fuck anything that came from the internet" rather than astroturfing coolaid solutions. )
|
||||
// (moving to a "everything is malware unless it came from me"-model is where we need to be at. internet advertising companies, namely google and adobe, have low standards for security. for - )
|
||||
// (- instance, chrome is full of use after free issues because they hire cheap eastern-bloc developers that constantly mess up vector iteration and raw pointer life-times. google killed flash- )
|
||||
// (- despite having the capability to sandbox it for over a decade, see: nacl. flash and java drivebys were a thing for way too long. the formats we use are overly complex garbage. )
|
||||
// ( we cant trust anyone. )
|
||||
// ( wake me up when OS sandboxing isnt a joke despite almost 4 decades of MMU protections; and when we start adopting easy to implement, memory-optimized, and structurally sound formats again. )
|
||||
|
||||
};
|
||||
|
||||
struct DebugConfig
|
||||
@ -284,6 +269,25 @@ namespace Aurora
|
||||
bool bEnablePreload { true };
|
||||
};
|
||||
|
||||
struct ProcessesConfig
|
||||
{
|
||||
// Disables the file origin check under the AuProcesses::OpenXXX APIs.
|
||||
// The AuFS trust APIs are to be used with project files that may contain build/init code hooks, and to be used with untrusted files that may contain executable code.
|
||||
// By default, AuProcesses::s assume any file downloaded from the internet or an instant messenger is defacto malware thanks to shitty Linux programs and historical Windows sandbox escapes.
|
||||
// Think this is overkill? Nah. Linux devs are dumber than a bag of rocks: https://nvd.nist.gov/vuln/detail/cve-2023-43641, https://github.blog/wp-content/uploads/2023/10/CVE-2023-43641-poc.mp4#t=0.001
|
||||
// And then theres: https://nvd.nist.gov/vuln/detail/cve-2021-4214 ( we cant trust libpng )
|
||||
// : https://nvd.nist.gov/vuln/detail/cve-2023-4863 ( we cant trust libvpx )
|
||||
// : https://nvd.nist.gov/vuln/detail/cve-2020-17541 (+2022-37769, 2023-37837, et al) ( we cant trust libjpegturbo )
|
||||
// (and, no, dumbasses shilling rust: no language or design goals are ever going to change runtime exploits abusing opted-out bound-checks of compressed formats for the sake of perf over integrity)
|
||||
// (for now, we just have to say, "fuck anything that came from the internet" rather than astroturfing coolaid solutions. )
|
||||
// (moving to a "everything is malware unless it came from me"-model is where we need to be at. internet advertising companies, namely google and adobe, have low standards for security. for - )
|
||||
// (- instance, chrome is full of use after free issues because they hire cheap eastern-bloc developers that constantly mess up vector iteration and raw pointer life-times. google killed flash- )
|
||||
// (- despite having the capability to sandbox it for over a decade, see: nacl and win8/10. flash and java drivebys were a thing for too long. the formats we use are overly complex garbage. )
|
||||
// ( we cant trust anyone. )
|
||||
// ( wake me up when OS sandboxing isnt a joke despite almost 4 decades of MMU protections; and when we start adopting easy to implement, memory-optimized, and structurally sound formats again. )
|
||||
bool bBypassInternetBlockCheckOpenFile { false };
|
||||
};
|
||||
|
||||
struct IOConfig
|
||||
{
|
||||
AuUInt32 uProtocolStackDefaultBufferSize { 64 * 1024 };
|
||||
@ -369,6 +373,7 @@ namespace Aurora
|
||||
AuAlignTo<128, LinuxConfig> linuxConfig;
|
||||
AuAlignTo<128, Win32Config> win32Config;
|
||||
AuAlignTo<128, ProcessConfig> processConfig;
|
||||
AuAlignTo<128, ProcessesConfig> processesConfig;
|
||||
AuAlignTo<128, IOConfig> ioConfig;
|
||||
AuAlignTo<128, DummyConfig> padding;
|
||||
|
||||
|
@ -14,7 +14,7 @@
|
||||
|
||||
namespace Aurora::Processes
|
||||
{
|
||||
static void UnixOpenAsyncThread(AuString uri, int iType)
|
||||
static void UnixOpenPartiallyBlocking(AuROString uri, int iType)
|
||||
{
|
||||
bool bDirExists {};
|
||||
bool bFileExists {};
|
||||
@ -32,7 +32,7 @@ namespace Aurora::Processes
|
||||
return;
|
||||
}
|
||||
|
||||
if (bFileExists && !gRuntimeConfig.fio.bBypassInternetBlockCheckOpenFile)
|
||||
if (bFileExists && !gRuntimeConfig.processesConfig.bBypassInternetBlockCheckOpenFile)
|
||||
{
|
||||
if (AuFS::IsFileBlocked(uri))
|
||||
{
|
||||
@ -69,14 +69,7 @@ namespace Aurora::Processes
|
||||
bool bIsForcedDBUS = optStringB && optStringB.Value() == "YES";
|
||||
bool bAllowDbus = !optStringC && (AuFS::FileExists("/usr/bin/gdbus") || AuFS::FileExists("/bin/gdbus"));
|
||||
|
||||
if (bIsFireJail || bIsForcedDBUS || bAllowDbus)
|
||||
{
|
||||
gUseDShid = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
gUseDShid = false;
|
||||
}
|
||||
gUseDShid = (bIsFireJail || bIsForcedDBUS || bAllowDbus);
|
||||
});
|
||||
|
||||
if (!gUseDShid)
|
||||
@ -93,37 +86,40 @@ namespace Aurora::Processes
|
||||
{
|
||||
AuFS::GoUpToSeparator(out, uri);
|
||||
}
|
||||
uri = AuString(out);
|
||||
uri = out;
|
||||
}
|
||||
}
|
||||
|
||||
AuSemaphore semaphore;
|
||||
auto pSemaphore = AuLoop::NewLSSemaphoreSlow();
|
||||
if (!pSemaphore)
|
||||
{
|
||||
SysPushErrorIOResourceFailure();
|
||||
return;
|
||||
}
|
||||
volatile int type2 = iType;
|
||||
|
||||
auto iFork = fork();
|
||||
if (iFork == 0)
|
||||
{
|
||||
setsid();
|
||||
|
||||
// isn't posix fun?
|
||||
PosixDoForkHooks();
|
||||
PosixShutup();
|
||||
PosixFDYeetus();
|
||||
|
||||
auto pBaseURI = (char *)SysAllocateLarge(uri.size() + 1);
|
||||
if (pBaseURI)
|
||||
{
|
||||
AuMemcpy(pBaseURI, uri.c_str(), uri.size() + 1);
|
||||
AuMemcpy(pBaseURI, uri.data(), uri.size());
|
||||
pBaseURI[uri.size()] = 0;
|
||||
}
|
||||
|
||||
int iType = type2;
|
||||
|
||||
// ...super fun
|
||||
semaphore->Unlock(1);
|
||||
// ...the original iType and uri buffer will be trashed from this point onwards
|
||||
// isn't posix fun?
|
||||
setsid();
|
||||
pSemaphore->AddOne();
|
||||
// the original iType and uri buffer will be trashed from this point onwards
|
||||
PosixFDYeetus();
|
||||
PosixDoForkHooks();
|
||||
PosixShutup();
|
||||
|
||||
// and as if dealing with posix isn't bad enough...
|
||||
// here's some more redhat/lennart poettering/dbus/xdg bullshid
|
||||
// here's some more redhat/lennart poettering/dbus/xdg bullshid requiring stringified leaked closexecless file descriptors
|
||||
if (gUseDShid)
|
||||
{
|
||||
const char *pExecString {};
|
||||
@ -193,7 +189,7 @@ namespace Aurora::Processes
|
||||
}
|
||||
else if (iFork > 0)
|
||||
{
|
||||
semaphore->Lock();
|
||||
pSemaphore->WaitOn();
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -205,7 +201,35 @@ namespace Aurora::Processes
|
||||
return;
|
||||
}
|
||||
|
||||
#if 0
|
||||
// TODO: If we are to truly care about the AuFS::XXXExists stats, create an ordered work queue for a singlar thread,
|
||||
// like the NT version of this file. Should anyone want to write a xdg-open-like util, it's possible for this
|
||||
// detached thread to be forcefully terminated before the setsid(). A singular thread would guarantee order
|
||||
// and hide any (networked?) filesystem stalls.
|
||||
//
|
||||
// - On Linux caching away these issues -
|
||||
//
|
||||
// Linux aggressively caches inodes leading idiots to believe linux io is somehow superior to NT and FreeBSD
|
||||
// - its not, *spawn thread* *spawn thread*, tell u what, *kthread_create* - even though it's really just
|
||||
// usecases like this, opens without lock advisories, where Linux pretends to be faster through caching we
|
||||
// probably shouldn't expect, want, or desire. Who wants heavy caching under an OS that randomly OOM kills?
|
||||
// Who wants defacto unsafe removal storage? Who wants Linus malding over "database dbs" for daring to want
|
||||
// less abstractions in the form of "i know best" caches - """"optimizations"""""? Linshit is held together
|
||||
// by god damn sellotape, their file systems are a clusterfuck, there's no efficient IO scheduler, and ofc
|
||||
// everything god damn thing has to block. I digress..
|
||||
//
|
||||
// On the plus side, our stats should be basically free memcpys of user-prewarmed directory nodes between IPC
|
||||
// boundaries. I mean, the end-user didn't just guess the realpath, no? The calling thread didn't just guess the
|
||||
// existence of a file, did it? Odds are, we wont need to hit any form of IO before the real work under a fork.
|
||||
// I guess we can trust Linuxs crappy caching to nuke the requirement of a thread pool; unlike Win32, that needs
|
||||
// a COM initialized thread and will probably ad-hoc link in shell libraries [slowly].
|
||||
//
|
||||
// It is therefore the case we shouldn't need a worker thread for Linux.
|
||||
//
|
||||
AuThreads::Spawn(std::bind(&UnixOpenAsyncThread, AuString(uri), iType), true);
|
||||
#else
|
||||
UnixOpenPartiallyBlocking(uri, iType);
|
||||
#endif
|
||||
}
|
||||
|
||||
AUKN_SYM void OpenUri(const AuROString &uri)
|
||||
|
@ -59,7 +59,7 @@ namespace Aurora::Processes
|
||||
continue;
|
||||
}
|
||||
|
||||
if (bFileExists && !gRuntimeConfig.fio.bBypassInternetBlockCheckOpenFile)
|
||||
if (bFileExists && !gRuntimeConfig.processesConfig.bBypassInternetBlockCheckOpenFile)
|
||||
{
|
||||
if (AuFS::IsFileBlocked(uri))
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user